Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE
From: Jim Manico <jim@xxxxxxxxxx>
Date: Tue, 16 Jan 2007 11:19:27 -1000
In-reply-to: <C1D27E2F.17363%simon@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <C1D27E2F.17363%simon@xxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

A legitimate buyer is not necessarily an ethical buyer. Demand to know
the buyer first, then do your homework. As always, proceed with caution.

- Jim

Simon Smith wrote:
> Amen!
>     KF is 100% on the money. I can arrange the legitimate purchase of most
> working exploits for significantly more money than iDefense, In some cases
> over $75,000.00 per purchase. The company that I am working with has a
> relationship with a legitimate buyer, all transactions are legal. If you're
> interested contact me and we'll get the ball rolling.
>
> -Simon
>    
>
>     $8000.00 USD is low!
>
> On 1/16/07 12:29 PM, "K F (lists)" <kf_lists@xxxxxxxxxxxxxxxxxxx> wrote:
>
>   
>> No offense to iDefense as I have used their services in the past... but
>> MY Q1 2007 Challenge to YOU is to start offering your researchers more
>> money in general! I've sold remotely exploitable bugs in random 3rd
>> party products for more $$ than you are offering for these Vista items
>> (see the h0n0 #3). I really think you guys are devaluing the exploit
>> market with your low offers... I've had folks mail me like WOW iDefense
>> offered me $800 for this remote exploit. Pfffttt not quite.
>>
>> We all know black hats are selling these sploits for <=$25k so why
>> should the legit folks settle for anything less? As an example the guys
>> at MOAB kicked around selling a Quicktime bug to iDefense but in the end
>> we decided it was not worth it due to low pay...
>>
>> Low Pay == Not getting disclosed via iDefense....
>>
>> -KF
>>
>>
>>     
>>> I know someone who will pay significantly more per vulnerability against the
>>> same targets. 
>>>
>>>
>>> On 1/10/07 12:27 PM, "contributor" <Contributor@xxxxxxxxxxxx> wrote:
>>>
>>>   
>>>       
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>     
>>>>         
>>> Hash: SHA1
>>>  
>>> Also available at:
>>>
>>>
>>>   
>>>       
>>>> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+cha
>>>> ll
>>>> enge
>>>>     
>>>>         
>>> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities
>>>   
>>>       
>>>> in
>>>>     
>>>>         
>>> Vista & IE 7.0*
>>>
>>> Both Microsoft Internet Explorer and Microsoft Windows
>>>   
>>>       
>>>> dominate their
>>>>     
>>>>         
>>> respective markets, and it is not surprising that the decision
>>>   
>>>       
>>>> to
>>>>     
>>>>         
>>> update to the current release of Internet Explorer 7.0 and/or Windows
>>> Vista
>>>   
>>>       
>>>> is fraught with uncertainty.  Primary in the minds of IT
>>>>     
>>>>         
>>> security
>>>   
>>>       
>>>> professionals is the question of vulnerabilities that may be
>>>>     
>>>>         
>>> present in these
>>>   
>>>       
>>>> two groundbreaking products.
>>>>     
>>>>         
>>> To help assuage this uncertainty, iDefense Labs
>>>   
>>>       
>>>> is pleased to announce
>>>>     
>>>>         
>>> the Q1, 2007 quarterly challenge.
>>>
>>> Remote Arbitrary
>>>   
>>>       
>>>> Code Execution Vulnerabilities in Vista and IE 7.0
>>>>     
>>>>         
>>> Vulnerability
>>>   
>>>       
>>>> Challenge:
>>>>     
>>>>         
>>> iDefense will pay $8,000 for each submitted vulnerability that
>>>   
>>>       
>>>> allows
>>>>     
>>>>         
>>> an attacker to remotely exploit and execute arbitrary code on either
>>> of
>>>   
>>>       
>>>> these two products.  Only the first submission for a given
>>>>     
>>>>         
>>> vulnerability will
>>>   
>>>       
>>>> qualify for the award, and iDefense will award no
>>>>     
>>>>         
>>> more than six payments of
>>>   
>>>       
>>>> $8000.  If more than six submissions
>>>>     
>>>>         
>>> qualify, the earliest six submissions
>>>   
>>>       
>>>> (based on submission date and
>>>>     
>>>>         
>>> time) will receive the award.  The iDefense Team
>>>   
>>>       
>>>> at VeriSign will be
>>>>     
>>>>         
>>> responsible for making the final determination of whether
>>>   
>>>       
>>>> or not a
>>>>     
>>>>         
>>> submission qualifies for the award.  The criteria for this phase
>>>   
>>>       
>>>> of
>>>>     
>>>>         
>>> the challenge are:
>>>
>>> I) Technologies Covered:
>>> - -    Microsoft Internet
>>>   
>>>       
>>>> Explorer 7.0
>>>>     
>>>>         
>>> - -    Microsoft Windows Vista
>>>
>>> II) Vulnerability Challenge
>>>   
>>>       
>>>> Ground Rules:
>>>>     
>>>>         
>>> - -    The vulnerability must be remotely exploitable and must
>>>   
>>>       
>>>> allow
>>>>     
>>>>         
>>> arbitrary code execution in a default installation of one of
>>>   
>>>       
>>>> the
>>>>     
>>>>         
>>> technologies listed above
>>> - -    The vulnerability must exist in the
>>>   
>>>       
>>>> latest version of the
>>>>     
>>>>         
>>> affected technology with all available patches/upgrades
>>>   
>>>       
>>>> applied
>>>>     
>>>>         
>>> - -    'RC' (Release candidate), 'Beta', 'Technology Preview'
>>>   
>>>       
>>>> and
>>>>     
>>>>         
>>> similar versions of the listed technologies are not included in
>>>   
>>>       
>>>> this
>>>>     
>>>>         
>>> challenge
>>> - -    The vulnerability must be original and not previously
>>>   
>>>       
>>>> disclosed
>>>>     
>>>>         
>>> either publicly or to the vendor by another party
>>> - -    The
>>>   
>>>       
>>>> vulnerability cannot be caused by or require any additional
>>>>     
>>>>         
>>> third party
>>>   
>>>       
>>>> software installed on the target system
>>>>     
>>>>         
>>> - -    The vulnerability must not
>>>   
>>>       
>>>> require additional social engineering
>>>>     
>>>>         
>>> beyond browsing a malicious
>>>   
>>>       
>>>> site
>>>>     
>>>>         
>>> Working Exploit Challenge:
>>> In addition to the $8000 award for the
>>>   
>>>       
>>>> submitted vulnerability,
>>>>     
>>>>         
>>> iDefense will pay from $2000 to $4000 for working
>>>   
>>>       
>>>> exploit code that
>>>>     
>>>>         
>>> exploits the submitted vulnerability.  The arbitrary code
>>>   
>>>       
>>>> execution
>>>>     
>>>>         
>>> must be of an uploaded non-malicious payload.  Submission of
>>>   
>>>       
>>>> a
>>>>     
>>>>         
>>> malicious payload is grounds for disqualification from this phase of
>>> the
>>>   
>>>       
>>>> challenge.
>>>>     
>>>>         
>>> I) Technologies Covered:
>>> - -    Microsoft Internet Explorer 7.0
>>> -
>>>   
>>>       
>>>> -    Microsoft Windows Vista
>>>>     
>>>>         
>>> II) Working Exploit Challenge Ground
>>>   
>>>       
>>>> Rules:
>>>>     
>>>>         
>>> Working exploit code must be for the submitted vulnerability only
>>>   
>>>       
>>>> 
>>>>     
>>>>         
>>> iDefense will not consider exploit code for existing vulnerabilities
>>> or new
>>>   
>>>       
>>>> vulnerabilities submitted by others.  iDefense will consider
>>>>     
>>>>         
>>> one and only one
>>>   
>>>       
>>>> working exploit for each original vulnerability
>>>>     
>>>>         
>>> submitted.
>>>
>>> The minimum award
>>>   
>>>       
>>>> for a working exploit is $2000.  In addition to the
>>>>     
>>>>         
>>> base award, additional
>>>   
>>>       
>>>> amounts up to $4000 may be awarded based upon:
>>>>     
>>>>         
>>> - -    Reliability of the
>>>   
>>>       
>>>> exploit
>>>>     
>>>>         
>>> - -    Quality of the exploit code
>>> - -    Readability of the exploit
>>>   
>>>       
>>>> code
>>>>     
>>>>         
>>> - -    Documentation of the exploit code
>>>
>>>
>>> -----BEGIN PGP
>>>   
>>>       
>>>> SIGNATURE-----
>>>>     
>>>>         
>>> Version: GnuPG v1.4.3 (MingW32)
>>> Comment: Using GnuPG with
>>>   
>>>       
>>>> Mozilla - http://enigmail.mozdev.org
>>>>     
>>>>         
>>>   
>>> iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU
>>> QkO9IXq+PsC6
>>>   
>>>       
>>>> bMKg7j6Dwfw=
>>>>     
>>>>         
>>> =N0am
>>> -----END PGP
>>>   
>>>       
>>>> SIGNATURE-----
>>>>     
>>>>         
>>> _______________________________________________
>>> Full-Disclosur
>>>   
>>>       
>>>> e - We believe in it.
>>>>     
>>>>         
>>> Charter:
>>>   
>>>       
>>>> http://lists.grok.org.uk/full-disclosure-charter.html
>>>>     
>>>>         
>>> Hosted and sponsored by
>>>   
>>>       
>>>> Secunia - http://secunia.com/
>>>>     
>>>>         
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>   
>>>       
>
>
>
>
>   

-- 
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim@xxxxxxxxxx
808.652.3805

References:
- Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE
  - From: Simon Smith

Prev by Date: Re: [Full-disclosure] iDefense Q-1 2007 Challenge
Next by Date: Re: [Full-disclosure] iDefense Q-1 2007 Challenge
Previous by thread: Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE
Next by thread: Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE
Index(es):
- Date
- Thread